OFFICE OF INSPECTOR GENERAL

Audit Report 2012-AA-C-002

2012 Audit of the Consumer Financial Protection Bureau's Information Security Program

November 15, 2012

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
CONSUMER FINANCIAL PROTECTION BUREAU


Report Contributors
  Khalid Hasan, OIG Manager
  Joshua Dieckert, Auditor-in-Charge
  Paul Vaclavik, IT Auditor
  Ed Fernandez, Auditor
  Peter Sheridan, Senior OIG Manager
  Andrew Patchan Jr., Associate Inspector General for Audits and Attestations

Abbreviations
  CFPB        Consumer Financial Protection Bureau
  FISMA       Federal Information Security Management Act of 2002
  NIST        National Institute of Standards and Technology
  OIG         Office of Inspector General
  SP 800-53   Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
  Treasury    Department of the Treasury


Executive Summary: 2012 Audit of the Consumer Financial Protection Bureau's Information Security Program

2012-AA-C-002, November 15, 2012

Purpose

To meet our annual Federal Information Security Management Act of 2002 (FISMA) reporting responsibilities, we reviewed the information security program and practices of the Consumer Financial Protection Bureau (CFPB).

Background

FISMA requires federal agencies to develop, document, and implement an agency-wide information security program. FISMA also requires each agency inspector general to conduct an annual independent evaluation of its agency's information security program and practices.

Findings

Overall, we found that the CFPB has taken several steps to develop, document, and implement an information security program. For example, the CFPB has drafted agency-wide information security and acceptable use policies, as well as procedures for continuous monitoring and risk management. In addition, the CFPB has developed an inventory of FISMA-reportable systems and a baseline of security controls for its information systems. However, we found that additional steps are needed to fully develop, document, and implement an information security program that is consistent with FISMA.

Recommendations

We recommend that the Chief Information Officer (1) develop and implement a comprehensive information security strategy that identifies specific goals, objectives, milestones, and resources to establish a FISMA-based information security program; (2) finalize the agency-wide information security policy and develop procedures to facilitate the implementation of the policy; and (3) analyze the CFPB's contractor oversight processes and information security controls for additional contractor-operated systems and take actions, as necessary, to ensure that FISMA and CFPB information security requirements are met.

Management's Response

In comments to a draft of our report, the CFPB Chief Information Officer concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen the CFPB's information security program.

Access the full report: http://www.federalreserve.gov/oig/oig_rpt_2012.htm
For more information, contact the OIG at 202-973-5000 or visit http://www.consumerfinance.gov/oig.


Summary of Recommendations, Report No. 2012-AA-C-002

  Rec. no.  Report page no.  Recommendation                                                        Responsible office
  1         5                Develop and implement a comprehensive information security            Office of the Chief Information Officer
                             strategy that identifies specific goals, objectives, milestones,
                             and resources to establish a FISMA-based information security
                             program.
  2         5                Finalize the CFPB's agency-wide information security policy and       Office of the Chief Information Officer
                             develop procedures to facilitate the implementation of the policy.
  3         5                Analyze the CFPB's contractor oversight processes and information     Office of the Chief Information Officer
                             security controls for additional contractor-operated systems and
                             take actions, as necessary, to ensure that FISMA and CFPB
                             information security requirements are met.


November 15, 2012

MEMORANDUM

TO:       Chris Willey
          Chief Information Officer, Consumer Financial Protection Bureau

FROM:     Andrew Patchan Jr.
          Associate Inspector General for Audits and Attestations

SUBJECT:  OIG Report: 2012 Audit of the Consumer Financial Protection Bureau's Information Security Program

The Office of Inspector General (OIG) of the Consumer Financial Protection Bureau (CFPB) is pleased to present the results of our audit of the CFPB's information security program. As the CFPB continues to enhance its information security program, we are providing three recommendations that we believe will further strengthen the CFPB's efforts to meet Federal Information Security Management Act of 2002 requirements.

We provided a draft of our report to you for review and comment. In your response, included as appendix A, you concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen the CFPB's information security program. As part of our audit, we also reviewed security controls for a contractor-operated system. The results of our review of security controls for this system will be transmitted under separate, restricted cover. In addition, we will use the results of our review of the CFPB's information security program and practices to respond to specific questions in the Department of Homeland Security's FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics. We appreciate the cooperation we received from the CFPB during our review. Please contact me if you would like to discuss this report or any related issues.

cc:  Victor Prince, Chief Operating Officer, CFPB
     Zach Brown, Chief Information Security Officer, CFPB
     Marla A. Freedman, Assistant Inspector General for Audit, Office of Inspector General, Department of the Treasury
     Mark Bialek, Inspector General
     J. Anthony Ogden, Deputy Inspector General


Contents

Introduction
    Objectives
    Background
Findings
    Comprehensive Strategy Should Be Developed to Implement a FISMA-based Information Security Program
    Information Security Policy Should Be Finalized and Implementing Procedures Developed
    Information Security Oversight Should Be Strengthened for Contractor-operated Systems
Recommendations
Management's Response
Appendix A—Management's Response
Appendix B—Scope and Methodology


Introduction

Objectives

Our specific audit objectives, based on the Federal Information Security Management Act of 2002 (FISMA), were to evaluate the effectiveness of the Consumer Financial Protection Bureau's (CFPB's) security controls and techniques and the CFPB's compliance with FISMA and related information security policies, procedures, standards, and guidelines. Our scope and methodology are detailed in appendix B.

Background

FISMA provides a framework for ensuring the effectiveness of information security controls over federal operations and assets and a mechanism for oversight of federal information security programs.[1] FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided by another agency, contractor, or other source. Agency information security programs must provide for, among other things, periodic risk assessments, policies and procedures based on the risk assessments, periodic testing and evaluation of the effectiveness of policies and procedures, security planning, security awareness training, and continuity of operations. FISMA also requires each agency inspector general to perform an annual independent evaluation of the information security program and practices of its respective agency to determine the effectiveness of such program and practices.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 created the CFPB and charged it with the responsibility of regulating the offering and provisioning of consumer financial products and services.[2] The CFPB formally began operations in July 2011 with a central mission of making markets for consumer financial products and services work for Americans. The CFPB has established an Office of the Chief Information Officer, which is responsible for the implementation and maintenance of an agency-wide information security program.

In our 2011 FISMA audit report, we noted that as the CFPB began operations, it was relying on the information security program and systems of the Department of the Treasury (Treasury). Since then, the CFPB has begun to develop its agency-wide information security program using the National Institute of Standards and Technology (NIST) Risk Management Framework as a model.[3] As part of this approach, the agency is developing processes to promote near real-time risk management and ongoing system authorization. The CFPB is also leveraging shared services and cloud computing with the objective of balancing risk, cost, and desired functionality. In addition, the CFPB continues to rely on Treasury for certain information security services, including those for remote access, configuration management, incident response, and identification and authentication.

[1] Title III, Pub. L. No. 107-347 (December 17, 2002).
[2] Pub. L. No. 111-203, Title X, 124 Stat. 1955 (July 21, 2010).
[3] NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.


Findings

Overall, we found that the CFPB has taken several steps to develop, document, and implement an information security program. For example, the CFPB has drafted agency-wide information security and acceptable use policies, as well as procedures for continuous monitoring and risk management. In addition, the CFPB has developed an inventory of FISMA-reportable systems and a baseline of security controls for CFPB information systems. However, we found that additional steps are needed to fully develop, document, and implement an information security program that is consistent with FISMA.

Comprehensive Strategy Should Be Developed to Implement a FISMA-based Information Security Program

The CFPB has not established a comprehensive information security strategy to guide the implementation of an agency-wide information security program. CIO officials stated that this strategy has not been developed because the agency has been focused on formalizing organizational structures and achieving operational capabilities. In addition, an adequate information security strategy should align with CFPB organizational and business-level strategies, which are still being developed. The CFPB has issued a draft strategic plan for 2013–2018 outlining its goals, desired outcomes, performance measures, and performance indicators at the organizational level. To promote transparency, the agency has asked the public for comments and feedback on the plan.

NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers, recommends as a best practice that federal organizations establish a comprehensive strategy to enable the development, institutionalization, assessment, and improvement of an agency-wide information security program. The strategy should be documented in an information security strategic plan and include a high-level plan for achieving information security goals and objectives, including short- and mid-term objectives and performance targets.

In the absence of an information security strategy, the CFPB's efforts to implement an agency-wide information security program may not adequately align with the goals and needs of the agency. As the CFPB continues to enhance its information security program, we recommend that the Chief Information Officer (CIO) develop and implement a comprehensive information security strategy that identifies specific goals, objectives, milestones, and resources to establish a FISMA-based information security program.

Information Security Policy Should Be Finalized and Implementing Procedures Developed

The CFPB has developed a draft agency-wide information security policy that delineates roles and responsibilities and specifies minimum information security controls for all agency systems. The CFPB has also developed draft procedures for continuous monitoring and risk management. While we found that the Chief Information Officer was performing several FISMA-based information security activities, the CFPB's agency-wide information security policy and procedures were not finalized. CIO officials stated that the agency was focused on formalizing organizational structures and achieving operational capabilities and, as such, had not prioritized the completion of agency-wide information security policy and procedures.

FISMA requires that an agency's information security program include policies and procedures that (1) are based on risk assessments, (2) cost-effectively reduce information security risks to an acceptable level, and (3) ensure that information security is addressed throughout the life cycle of each agency information system. In addition, NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53), recommends that information security policies address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. SP 800-53 also recommends the development of formal, documented procedures to facilitate the implementation of the policies.

As a result of the lack of an agency-wide information security policy and procedures, we found inconsistent information security processes, undefined roles and responsibilities, and limited documentation to support risk-based decisions. In addition, we identified a contractor-operated system that did not meet a number of FISMA and NIST requirements. As such, we recommend that the CIO finalize the CFPB's agency-wide information security policy and develop procedures to facilitate the implementation of the policy.

Information Security Oversight Should Be Strengthened for Contractor-operated Systems

The CFPB uses a number of contractor-operated systems, including several that are hosted in a cloud environment. As part of its contractor oversight process, the CFPB performs security assessments and receives periodic security updates for contractor-operated systems. For a contractor-operated system that we reviewed, we found that the CFPB needs to improve its oversight process to ensure that FISMA requirements are met. We identified a number of management, operational, and technical control weaknesses for this system.[4] According to CIO officials, these weaknesses existed primarily because the CFPB did not have enough staff to effectively monitor the contractor's compliance with FISMA requirements.

FISMA requires agencies to provide information security controls for information systems used or operated by an agency, including those provided by a contractor of an agency. In addition, SP 800-53 requires organizations to define and document government oversight and user roles and responsibilities regarding external information security services, as well as to monitor security control compliance by external service providers.

Based on the weaknesses we identified, the CFPB has limited assurance that FISMA and CFPB information security requirements are being met for the contractor-operated system that we reviewed. We will provide the results of our review of this system and specific recommendations under separate, restricted cover. Based on our findings regarding this system, we recommend that the CIO analyze the CFPB's contractor oversight processes and information security controls for additional contractor-operated systems and take actions, as necessary, to ensure that FISMA and CFPB information security requirements are met.

[4] The results of our review of the contractor-operated system will be transmitted under separate, restricted cover.


Recommendations

We recommend that the Chief Information Officer:

1. Develop and implement a comprehensive information security strategy that identifies specific goals, objectives, milestones, and resources to establish a FISMA-based information security program.

2. Finalize the CFPB's agency-wide information security policy and develop procedures to facilitate the implementation of the policy.

3. Analyze the CFPB's contractor oversight processes and information security controls for additional contractor-operated systems and take actions, as necessary, to ensure that FISMA and CFPB information security requirements are met.


Management's Response

In comments to a draft of our report, included as appendix A, the CFPB Chief Information Officer concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen the CFPB's information security program.


Appendix A
Management's Response

[The CFPB Chief Information Officer's response letter appears here in the published report as scanned pages and is not reproduced in this text extraction.]


Appendix B
Scope and Methodology

To accomplish our audit objectives, we reviewed the CFPB's program-level information security policies and procedures, analyzed system security documentation, met with CFPB information security officials and contractors, and observed and tested specific system controls. We also reviewed the CFPB's information security policies, procedures, and controls for a select contractor-operated system listed on the CFPB's FISMA inventory. Our audit scope did not include a review of information security controls for Treasury information systems used by the CFPB.

We conducted our fieldwork from July 2012 to October 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions.

As noted, the CFPB relies on certain security services that are part of Treasury's information security program. These services include remote access, configuration management, incident response, and identification and authentication. As part of our response to the Department of Homeland Security's FISMA reporting questions for inspectors general, submitted under separate cover, we relied on the work performed by the Treasury OIG, as part of its FISMA review of Treasury's information security program, for these services. We performed sufficient, appropriate procedures to meet generally accepted government auditing standards requirements for relying on the work of the Treasury OIG, including the following:

  • We obtained evidence on the qualifications and independence of contractor staff performing the FISMA audit of Treasury for the Treasury OIG.
  • We reviewed the Treasury OIG's FISMA audit plan, audit report, and work paper documentation.
  • We met with Treasury OIG officials to gain an understanding of how they performed their FISMA oversight of Treasury's information security program, including reviewing the work performed by contractor staff.
  • We discussed the contractor's audit approach and results with contractor staff.